Nmap 4.85BETA10 released - needs testing!

[Fyodor <fyodor () insecure org>]

Hi folks.  I'm pleased to release 4.85BETA10, which contains an
amazing number of changes for exactly 1 month of work.  Just the
CHANGELOG entries themselves are 330 lines long!  New goodies include:

o SCTP ping and port scanning support

o Dramatic improvements to the default ping probes based on extensive
  empirical Internet research

o New or substantially improved NSE scripts: http-iis-webdav-vuln,
  socks-open-proxy, http-open-proxy, imap-capabilities

o Major NSE stability improvements

o Major Ncat improvements (particularly to listen mode and EOF
  handling)

o Zenmap goodies, such as being able to save the pretty network
  topology graph images.

o More than 50 other significant bug fixes, new features,
  performance improvements, etc. (described below)

And the really great news is that we're *VERY CLOSE* to our first
stable release in 9 months!  And the changes since 4.76 was released
last year are huge.  From this point on, we're ONLY planning to put in
important bug fixes to help get things stable and ready for release.
We'll soon open up a dev tree in SVN for other patches.

So please test this sucker out!  The more testing we get, the sooner
we can release the stable version!  If you find some good bugs this
weekend, we're prepared to do a new release candidate build on Monday.
You can download 4.85BETA10 in all the regular formats at the normal
location:

http://nmap.org/download.html

Without further ado, here are the significant changes in this monster
release:

Nmap 4.85BETA10 [2009-06-12]

o The host discovery (ping probe) defaults have been enhanced to
  include twice as many probes.  The default is now "-PE -PS443 -PA80
  -PP". In exhaustive testing of 90 different probes, this emerged as
  the best four-probe combination, finding 14% more Internet hosts
  than the previous default, "-PE -PA80". The default for non-root
  users is -PS80,443, replacing the previous default of -PS80. In
  addition, ping probes are now sent in order of effectiveness (-PE
  first) so that less effective probes may not have to be sent. ARP
  ping is still the default on local ethernet networks. [David,
  Fyodor]

o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
  used mostly for telephony related applications.  This brings the
  following new features:
  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
    chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
    of a TCP SYN stealth scan.
  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
    closed ports return an ABORT chunk.
  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
    INIT chunk packets.
  o SCTP-specific IP protocol scan (-sO -p sctp).
  o SCTP-specific traceroute support (--traceroute).
  o The ability to use the deprecated Adler32 algorithm as specified
    in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  o 42 well-known SCTP ports were added to the nmap-services file.
  o The server scanme.csnc.ch has been set up for your SCTP scan
    testing pleasure. See
    http://seclists.org/nmap-dev/2009/q2/0669.html.
  Part of the work on SCTP support was kindly sponsored by
  Compass Security AG, Switzerland. [Daniel Roethlisberger]

o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
  discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
  allow arbitrary users to access password protected folders without
  authentication. See
  http://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]

o The Nmap Reference Guide has been translated to German by Open
  Source Press and Indonesian by Tedi Heriyanto. You can now read it
  in 16 languages at http://nmap.org/docs.html. We're always looking
  for more translations of Nmap and it's documentation--if you'd like
  to help, see http://seclists.org/nmap-dev/2009/q2/0667.html.

o Open Source Press completed and released the German translation of
  the official Nmap book (Nmap Network Scanning). Learn more at
  http://nmap.org/book/#translations.

o [NSE] Added socks-open-proxy.nse for scanning networks for open
  SOCKS proxy servers. See
  http://nmap.org/nsedoc/scripts/socks-open-proxy.html. [Joao Correa]

o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
  CONNECT methods as well as previously supported GET method.  It
  still tries to reach http://www.google.com through the proxy by
  default, but now also offers an argument for specifying a different
  URL. [Joao Correa]

o [Ncat] There is a backwards-incompatible change in the way that
  listen mode works. The new default behavior is to accept only one
  connection, and quit when the connection ends. This was necessary to
  prevent data loss in some situations; some programs require Ncat to
  send an EOF before they flush their internal buffers and finish
  processing the last bit of data. See
  http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
  Use the new -k or --keep-open option to get the old behavior, in
  which Ncat will accept multiple simultaneous connection, combine all
  their input, and accept more connections after a disconnection.
  [Daniel Roethlisberger, David]

o Ncat handling of newlines on Windows has been improved. CRLF is
  automatically converted to a bare LF when input is from the console,
  but left untouched when it is from a pipe or a file. No newline
  translation is done on output (where it was being done before). This
  makes it possible to transfer binary files with Ncat on Windows
  without any corruption, while still being able to interactively ncat
  into UNIX shells and other processes which require bare
  newlines. Ncat clients now work the same way on UNIX and Windows in
  that respect.  For cases where you do want \r\n line endings (such
  as connections to web and email servers or Windows cmd.exe shells),
  specify -C whether your client is running on UNIX or
  Windows. [David]

o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
  support (statically linked in to avoid dependencies).  They are also
  now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
  other distributions. Please let us know if you discover any
  compatibility problems (or other issues) with the new RPMs. [Fyodor]

o [Zenmap] The Topology tab now has a "Save Graphic" button that
  allows saving the current topology display as a PNG, postscript,
  PDF, and SVG image.  [Joao Medeiros, David]

o Changed the default UDP ping (-PU) port from 31338 to 40125.  This
  appears to be a better port based on David's empirical testing.

o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
  command to determine the capabilities of a target IMAP mail server.
  A simple supporting IMAP library was added as well. See
  http://nmap.org/nsedoc/scripts/imap-capabilities.html. [Brandon]

o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
  fixes in this release, he no longer sees any Nmap crashes in his
  large scale scans. See
  http://seclists.org/nmap-dev/2009/q2/0639.html.

o Zenmap now works on RHEL/CentOS since it no longer requires the
  hashlib library (which was introduced in Python 2.5, but RHEL 5
  still uses 2.4) and removing the pysqlite2 requirement (RHEL does
  not offer that module).  It is still desirable to have pysqlite2
  when available, since it enables Zenmap searching and database
  saving features. [David]

o Ncat can now send SSL certificates in connect mode for client
  authentication by using the --ssl-cert and --ssl-key options.  The
  specified certificates are only sent when requested by the
  server. [Venkat]

o Nmap can now handle -SP and -SA at the same time when running nmap
  as non-root or using IPv6.  It now combines the two port lists [Josh
  Marlow]

o [Ncat] SSL in listen mode now works on systems like BSD in which a
  socket inherits its blocking or non-blocking status from the
  listening socket. [David, Daniel Roethlisberger]

o The --packet-trace/--version-trace options now shows the names of
  version detection probes as they are sent, making the version
  detection process easier to understand and debug. [Tom Sellers]

o The GPG detached signatures for Nmap releases now use the more
  standard .asc extension rather than .gpg.txt.  They can still be
  found at http://nmap.org/dist/sigs/ and the .gpg.txt versions for
  previous releases are still available for compatibility reasons. For
  instructions on verifying Nmap package integrity, see
  http://nmap.org/book/install.html#inst-integrity. [Fyodor]

o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
  and aggregated, the first one was being modified in the process,
  preventing you from doing diffs in the "compare scans" dialogue or
  properly saving the first scan individually. 2) If you start two
  scans, then the faster one finishes and you cancel and remove the
  slower one while still in progress, much of the results from both
  scans are lost. [Josh Marlow]

o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
   prints confirmation of the SSL connection, some certificate
   information, and a cert fingerprint. For example:
   SSL connection to 64.147.188.3:443. Electronic Frontier Foundation
   SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A

o [NSE] Clean up output (generally reducing default verbosity) for the
  p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
  general, we don't ask scripts to report that a host is clean unless
  Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]

o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
  profile to some of the Intense scan profiles for improved host
  discovery. [Josh Marlow]

o Fixed a bug with the --defeat-rst-ratelimit option which prevented
  it from working properly.  See this thread:
  http://seclists.org/nmap-dev/2009/q2/0476.html. [Josh]

o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
  ports in the non-shown (extraports) list. [David]

o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
  Previously it would fail in ncat_openssl.c with the message
  "structure has no member named `it'". The problem was reported by
  Jaroslav Fojtik. [David]

o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
  functions. They are redundant since you get the same functionality
  by calling bin.pack("H", str) and bin.unpack("H", str),
  respectively. [Patrick]

o [NSE] Fixed the parsing of --script-args, which was only accepting
  alphanumeric characters and underscores in values. Now a key, value,
  or array value may be a sequence of any characters except '{', '}',
  ',', '=', and all space characters. You may overcome this
  restriction by using quotes (single or double) to allow all
  characters within the quotation marks. You may also use the quote
  delimiter inside the sequence so long as it is escaped by a
  backslash. See
  http://seclists.org/nmap-dev/2009/q2/0211.html. [Patrick]

o [NSE] When a script ends for any reason, all of its mutexes are now
  unlocked.  This prevents a permanent (and painful to debug) deadlock
  when a script crashes without unlocking a mutex. See
  http://seclists.org/nmap-dev/2009/q2/0533.html. [Patrick]

o Fixed a bug wherein nmap would not display the post-scan count of
  raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]

o Changed the ICMP ping probes to use a random non-zero ICMP id.
  David's empirical testing found that some hosts drop probes when the
  ICMP id is 0 [Josh Marlow]

o [NSE] Fixed a --script argument processing bug in which Nmap would
  abort when an expression matches a set of scripts which were loaded
  by other expressions first (a simple example is "--script
  default,DEFAULT". [Patrick]

o [Zenmap] Operating system icons are now always loaded as PNGs, even on
  platforms which support SVG images. That is much faster, and Zenmap
  currently never scales the images anyway. [Josh]

o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
  (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]

o Optimized some Nmap version detection match lines for slightly
  better performance. See
  http://seclists.org/nmap-dev/2009/q2/0328.html. [Brandon]

o [NSE] Upon connection failure, a socket now immediately unlocks its
  "socket lock" to allow other pending socket connections to succeed
  sooner. This slightly improves scan speeds by eliminating the wait
  for garbage collection to free the resource. [Patrick]

o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
  from the use of an invalid Lua state if a thread is collected due to
  timeout or other rare reasons. Essentially, the callbacks from the
  nsock library were returning to an already-collected Lua state. We
  now maintain a reference to the Lua State Thread in the nsock
  userdata environment table to prevent early collection.  This is a
  temporary patch for the stable release pending a more detailed
  review of the NSE nsock library binding. [Patrick]

o [NSE] When an NSE script in the database (script.db) is requested
  but not found on the filesystem, Nmap now prints a warning rather
  than aborting. We accidentally shipped with such a phantom script
  (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]

o Fixed a bug where an ICMP echo, timestamp, or address mask reply
  could be matched up with the wrong ICMP probe if more than one ICMP
  probe type was being sent (as with the new default ping). This lead
  to timing calculation problems. [David]

o Improved the host expression parser to better handle a few cases
  where invalid target specifiers would case Nmap to scan unintended
  hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html. [Jah]

o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
  searching scan results by date. [David]
  The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
  set_date TypeError: argument must be sequence of length 9, not 3

o Patched configure.ac to detect Lua include and library files in
  "lua5.1" subdirectories of /usr/include and the like. Debian
  apparently puts them there. We still check the likes of
  /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
  Christoph Nordholz]

o Improved nsock's fselect() to be a more complete replacement for
  select() on the Windows platform. In particularly, any or all of the
  FD sets can be null or empty descriptor sets. This fixes an error
  ("nsock_loop error 10022") which would occur when you ran ncat
  --send-only on Windows. [David]

o The --with-openssl= directive now works for specifying the SSL
  location to the nsock library.  It was previously not passing the
  proper include file path to the compiler. [Fyodor]

o The --traceroute feature is now properly disabled for IPv6 ping
  scans (-6 -sP) since IPv6 traceroute is not currently
  supported. [Jah]

o Fixed an assertion failure which could occur on at least SPARC Linux
  The error looked like "nsock_core.c:294: handle_connect_result:
  Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]

o Nmap's make install target now uses $(INSTALL) rather than cp to
  copy NSE scripts and libraries to ensure that file permissions are
  set properly. [Fyodor]

o Improved the Oracle DB version detection signatures. [Tom Sellers]

o [NSE] Remove the old nse_macros.h header file. This involved
  removing the SCRIPT_ENGINE_* status defines, moving the likes of
  SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
  of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
  nse_fs.h. [Patrick]

o Cleaned up the libpcre build system a bit by removing Makefile.am
  and modifying configure.ac to prevent unnecessary removal of
  pcre_chartables.cc in some instances. [Fyodor]

o Fixed a bug which would cause Nmap to sometimes miscount the number
  of hosts scanned and produce warnings such as "WARNING: No targets
  were specified, so 0 hosts scanned" when --traceroute and -sP were
  combined. [Jah]

o Changed Nmap and Ncat's configure.ac files to check in more
  situations whether -ldl is required for compilation and add it where
  necessary. [Fyodor]

o When building Nmap RPMs using the spec file, you can now pass in an
  openssl argument, the contents of which are passed to ./configure's
  --with-openssl option. So you can pass rpmbuild an option such as
  --define "openssl /usr/local/ssl". [Fyodor]

o Fixed the make distclean target to avoid a failure which could occur
  when you ran it right after a make clean (it might have failed in
  other situations as well). [David]

o Updated nmap-mac-prefixes with the latest MAC address prefix data
  from http://standards.ieee.org/regauth/oui/oui.txt as of
  5/20/09. [Fyodor]

o Ncat now makes sockets blocking before handing them off to another
  program with --exec or --sh-exec. This is to resolve a failure where
  the command "ncat --exec /usr/bin/yes localhost" would stop sending
  because yes would send data so quickly that kernel send buffers
  could not keep up and socket writes would start generating EAGAIN
  errors. [Venkat]

o Ncat now ignores SIGPIPE in listen mode.  This fixes the command
  "yes | ncat -l --keep-open --send-only", which was failing after the
  first client disconnected due to a broken pipe signal when Ncat
  would try to write more date before realizing that the client had
  closed the connection.

o Version detection can now detect Ncat's --chat mode. [David]


Enjoy the new release!
-Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org